On Wednesday 11 Apr 2012 15:33:06 you wrote:
> Hi Mick,
>
> Actually I had tried that before without success. I had asked the telecom
> company to tell me what they see from their end and eventually they got
> back to me today and told me that they see that phase 1 is completed
> successfully but my side does not send the proper parameters for phase 2,
> in fact they said that they do not see any parameters being sent for phase
> 2 but I think the definition is correct:
I would expect to see something about quick mode starting, indicating that
phase 2 negotiation takes place.
> sainfo anonymous
> {
> #pfs_group 2;
Have you tried uncommenting the pfs_group directive above?
> lifetime time 28800 sec;
I don't think that this is correct ... shouldn't it be 3600?
> encryption_algorithm 3des;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate ;
> }
You need to confirm with them what the pfs_group, duration, encryption and
hmac are on their end and then check that what you have configured on your end
is *exactly* the same - see below.
> They actually suggested that on my end I change the definition of ipsec to:
>
> SRC=y.y.y.201
> DST=x.x.x.x.103
> DSTNET=x.x.x.106/32
> TYPE=IPSEC
> ONBOOT=no
> IKE_METHOD=PSK
Fair enough, they must have made it work before with such a configuration (one
would hope).
> Oh and I asked them to change the configuration to set both my tunnel
> endpoint and service IP to y.y.y.201 just in case it makes config a little
> easier.
Well, it depends whether you have a gateway interface which is different to
your end point. If not, then you can use the same address since it is the
same network interface.
> With this config it works as before except the message has changed to
> NO-PROPOSAL-CHOSEN. Here is the complete log.... They had no further advice
> as to what might be wrong....
[snip ...]
> racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be
> deleted.
This is complaining that the remote peer's Phase 2 configuration is different
to your racoon Phase 2 configuration.
Can you please check with them what ipsec Phase 2 parameters they have set up
at their end (especially duration) and then configure yours accordingly.
If Phase 2 was being successful you would see something like this:
DEBUG: type=Life Type, flag=0x8000, lorv=seconds
DEBUG: type=Life Duration, flag=0x8000, lorv=28800
DEBUG: Compared: DB:Peer
DEBUG: (lifetime = 28800:28800) <--duration match
DEBUG: (lifebyte = 0:0)
DEBUG: enctype = 3DES-CBC:3DES-CBC
DEBUG: (encklen = 0:0)
DEBUG: hashtype = SHA:SHA
DEBUG: authmethod = pre-shared key:pre-shared key
DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
DEBUG: an acceptable proposal found.
In your case an acceptable proposal is not found, because I suspect the
duration is incorrectly configured in racoon.
HTH.
> On Tue, Apr 3, 2012 at 11:55 PM, Mick <michaelkintzios@...> wrote:
> > On Tuesday 03 Apr 2012 17:57:49 you wrote:
> > > Hi Mick,
> > >
> > > I have uninstalled openswan and indeed now I can restart racoon and am
> > > able to try connecting again but still the same problem and error
> > > message.
[snip ...]
> > Let's look at your configuration again:
> >
> > SRC=y.y.y.201
> > SRCNET=y.y.y.0/24
> > DST=x.x.x.103
> > DSTNET=x.x.x.0/24
> > TYPE=IPSEC
> > ONBOOT=no
> > IKE_METHOD=PSK
> >
> >
> > Try this in case it fixes your problem:
> >
> > TYPE=IPSEC
> > ONBOOT=no
> > IKE_METHOD=PSK
> > SRCGW=y.y.y.201
> > DSTGW=x.x.x.103
> > SRCNET=y.y.y.0/24
> > DSTNET=x.x.x.0/24
> > DST=x.x.x.106
> >
> > --
> > Regards,
> > Mick
--
Regards,
Mick
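As an added example that is not part of the thread above, here is a small Python checker that reads racoon's proposal-comparison debug lines of the kind Mick quotes (the "Compared: DB:Peer" block, where the left value is racoon's own configuration and the right value is what the peer proposed) and reports exactly which attribute differs. The matching log lines are copied from the reply; the mismatching log (lifetime 28800 vs 3600, 3DES vs AES) is constructed for the example and is not output from the original poster's system.

```python
import re

# racoon prints each attribute it compares as "<name> = <DB value>:<peer value>",
# sometimes wrapped in parentheses, e.g.
#   DEBUG: (lifetime = 28800:28800)
#   DEBUG: enctype = 3DES-CBC:3DES-CBC
# The left value is racoon's own configuration (DB), the right is the peer's.
COMPARE_RE = re.compile(r"DEBUG:\s*\(?(\w+)\s*=\s*([^:]+):([^)]+)\)?")


def parse_comparisons(lines):
    """Group comparison lines by the 'Compared: DB:Peer' marker.

    Returns a list of dicts, one per proposal racoon compared, mapping the
    attribute name to a (db_value, peer_value) tuple.
    """
    blocks = []
    current = None
    for line in lines:
        if "Compared:" in line:          # start of a new proposal comparison
            current = {}
            blocks.append(current)
            continue
        if current is None:
            continue                     # ignore lines before the first block
        m = COMPARE_RE.search(line)
        if m:
            name, db, peer = m.group(1), m.group(2).strip(), m.group(3).strip()
            current[name] = (db, peer)
    return blocks


def mismatches(block):
    """Attributes whose DB and peer values differ, as (name, db, peer)."""
    return [(name, db, peer) for name, (db, peer) in block.items() if db != peer]


def diagnose(lines):
    """Return (accepted, per_block_mismatches) for a racoon debug log."""
    accepted = any("an acceptable proposal found" in line for line in lines)
    return accepted, [mismatches(b) for b in parse_comparisons(lines)]


# Lines copied from the matching log quoted in the reply above.
MATCHING_LOG = """\
DEBUG: type=Life Type, flag=0x8000, lorv=seconds
DEBUG: type=Life Duration, flag=0x8000, lorv=28800
DEBUG: Compared: DB:Peer
DEBUG: (lifetime = 28800:28800)
DEBUG: (lifebyte = 0:0)
DEBUG: enctype = 3DES-CBC:3DES-CBC
DEBUG: (encklen = 0:0)
DEBUG: hashtype = SHA:SHA
DEBUG: authmethod = pre-shared key:pre-shared key
DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
DEBUG: an acceptable proposal found.
""".splitlines()

# Constructed (not from the thread): the same comparison when the local
# lifetime and cipher do not match what the peer proposes.
MISMATCH_LOG = """\
DEBUG: Compared: DB:Peer
DEBUG: (lifetime = 28800:3600)
DEBUG: (lifebyte = 0:0)
DEBUG: enctype = 3DES-CBC:AES-CBC
DEBUG: (encklen = 0:128)
DEBUG: hashtype = SHA:SHA
DEBUG: authmethod = pre-shared key:pre-shared key
DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
DEBUG: no suitable proposal found.
""".splitlines()


if __name__ == "__main__":
    for label, log in (("matching", MATCHING_LOG), ("mismatch", MISMATCH_LOG)):
        accepted, per_block = diagnose(log)
        print(f"{label}: accepted={accepted}")
        for i, diffs in enumerate(per_block):
            for name, db, peer in diffs:
                print(f"  proposal {i}: {name} local={db!r} peer={peer!r}")
```

Feed it the relevant portion of the racoon log (`racoon -F -ddd` gives the DEBUG lines; syslog prefixes in front of "DEBUG:" are ignored) and it names the attribute to change, which is quicker than eyeballing the comparison block when several proposals are tried in turn.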